[systemd-devel] Sandboxing options
Christopher Wong
Christopher.Wong at axis.com
Mon Dec 21 09:32:51 UTC 2020
Hi Lennart,
Thanks for your reply! After some struggles I managed to figure out that I was missing SECCOMP in the systemd 244 that I was running. Once I had enabled SECCOMP and managed to build systemd with it, all the below options except for UMask were available to me.
I will leave UMask for now, no need to use it at this moment.
Best regards,
Christopher Wong
________________________________________
From: Lennart Poettering <lennart at poettering.net>
Sent: Saturday, December 19, 2020 11:28
To: Christopher Wong
Cc: systemd-devel at lists.freedesktop.org
Subject: Re: [systemd-devel] Sandboxing options
On Mo, 28.09.20 17:00, Christopher Wong (Christopher.Wong at axis.com) wrote:
> Hi,
>
>
> There are a bunch of sandboxing options that I am trying to enable
> but I got no effects when I am setting them. Below are the options
> that I am trying to set, but I can't seem to turn them on.
>
> LockPersonality=true
> MemoryDenyWriteExecute=true
> RestrictRealtime=true
> RestrictSUIDSGID=true
> RestrictNamespaces=
> SystemCallArchitectures=native
> #SystemCallArchitectures=option
> UMask=0000
> #UMask=0033
>
> I have enabled the following kernel configurations:
>
> CONFIG_NAMESPACES=y
> CONFIG_NET_NS=y
> CONFIG_USER_NS=y
> CONFIG_SECCOMP=y
>
> Is there anything that I am missing?
Maybe start with saying which distro you are using, which kernel,
which systemd version.
Give an example of the unit file you are using.
Are you using this in --user or --system mode? (Note that a bunch of
sandboxing settings are only available for --system).
Have you checked the logs? In particular after enabling debug logging
(systemd-analyze log-level debug).
Lennart
--
Lennart Poettering, Berlin
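The outcome of this thread is that several of the settings in the unit above are implemented as seccomp filters, so a systemd built without seccomp support accepts them in the unit file but never applies them. The following POSIX shell script is an added example, not code from the thread or from the systemd project: it checks the feature line printed by `systemctl --version` for the `+SECCOMP` token and lists which seccomp-backed settings present in a unit would be silently ineffective. The sample version output and the sample unit are constructed, and the list of seccomp-backed settings is an assumption drawn from the systemd.exec(5) manual (UMask is deliberately not in it, matching what Christopher observed).

```shell
#!/bin/sh
# Constructed sample of `systemctl --version` output for a systemd build
# without seccomp support; a build with it prints "+SECCOMP" instead.
SAMPLE_VERSION_NO_SECCOMP='systemd 244 (244)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +ACL +XZ +LZ4 -SECCOMP +BLKID +KMOD default-hierarchy=hybrid'

# Constructed sample for a build that does have seccomp support.
SAMPLE_VERSION_SECCOMP='systemd 244 (244)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +ACL +XZ +LZ4 +SECCOMP +BLKID +KMOD default-hierarchy=hybrid'

# Constructed unit fragment carrying the settings discussed in the thread.
SAMPLE_UNIT='[Service]
ExecStart=/usr/bin/true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
SystemCallArchitectures=native
UMask=0033'

# Settings that systemd.exec(5) implements with seccomp filters
# (assumption taken from the manual; UMask needs no seccomp and is absent).
SECCOMP_BACKED='LockPersonality MemoryDenyWriteExecute RestrictRealtime RestrictSUIDSGID RestrictNamespaces SystemCallArchitectures SystemCallFilter'

# build_has_seccomp VERSION_TEXT
# Succeeds when the feature line contains "+SECCOMP".
build_has_seccomp() {
    printf '%s\n' "$1" | grep -q '+SECCOMP'
}

# ineffective_settings VERSION_TEXT UNIT_TEXT
# Prints, one per line, the seccomp-backed settings that appear in UNIT_TEXT
# but will be ignored because the build described by VERSION_TEXT lacks seccomp.
ineffective_settings() {
    if build_has_seccomp "$1"; then
        return 0
    fi
    for key in $SECCOMP_BACKED; do
        if printf '%s\n' "$2" | grep -q "^${key}="; then
            printf '%s\n' "$key"
        fi
    done
}

# Stand-alone run against the constructed samples; on a real host replace the
# first argument with "$(systemctl --version)" and the second with the unit text.
ineffective_settings "$SAMPLE_VERSION_NO_SECCOMP" "$SAMPLE_UNIT"
```

On a real machine, `systemctl --version` is the quickest way to confirm whether the running systemd was built with seccomp, and Lennart's suggestion of debug logging (`systemd-analyze log-level debug`) then shows whether the filters are actually being installed when the service starts.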